Mailing List Archive

Hi.

Am Donnerstag, den 25.04.2019, 08:42 +0200 schrieb Bernhard Reiter:
> Am Freitag 19 April 2019 15:50:13 schrieb Daniel Kahn Gillmor:
> > GnuPG master already defaults RSA keys to 3072 bits,
> > I agree that it makes sense to do this on the 2.2 branch.

> FWIW I also agree to switch the default.
> It matches modern recommendations for mid/long term security,
> e.g. from
> https://www.sogis.eu/documents/cc/crypto/SOGIS-Agreed-Cryptographic-Mechanisms-1.1.pdf

> This is even when considering the FAQ linked
> from https://wiki.gnupg.org/LargeKeys

Yes, we should switch for sure. I am using Keys with 4096 bit keys for
a longer while, now. AFAIR since GPG supports it. I even would prefer
this to be the default.


> > Will GnuPG ever support RSA-3072 or RSA-4096 by default?
> > Probably not.
> > Every minute we spend arguing about whether we should change the
> > defaults to RSA-3072 or more is one minute the shift to ECC is
> > delayed.

> Is ECC ready to be the default?
> My estimation is: It is not, and then we should switch the default to
> RSA3072 until it is.

I am concerned that such a default switch would break the compatiblity
to many running foreign implementations of OpenPGP. On my side I am not
using ECC for two reasons. The first is, the card does noit support the
curve I would prefer. The second an more important one is that some of
my communicationd partners use another implementations, or use Apps on
their mobiles for email which don't support ECC. Openkeychain, for
example, does not support ECC, or it did not. I didn't test it for a
while and did not look into it's documentation while writing this
email.

> My estimation is based on:
> * There are some GNU/Linux LTS distros in use that still have GnuPG
> 2.0 (E.g. Jessie, but probably others. Could be examined)
> * Ed25519 and Curve25519 are not in an agreed standard (as 4880bis is
> not ready and probably won't be for a while) While I blieve it is
> okay to move forward, other implementations may not be because of the
> missing standard. Example: OpenPGPjs just has a young implementation
> (Dec 2018 saw a major security release version 4.3.0)

A default switch would not be a problem if it would not break the
compatiblity itself as the other key types are still there. But users
who did not dig deeper into this topic often use the defaults.

I think we should establish the standard for ECC in OpenPGP first and
then wait a while before switching to ECC as default.

Regards,
Dirk
--
Dirk Gottschalk
Ardennenstrasse 25
52076 Aachen, Germany

GPG: 4278 1FCA 035A 9A63 4166 CE11 7544 0AD9 4996 F380
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac

On Thu, 25 Apr 2019 08:42, bernhard@intevation.de said:

> Is ECC ready to be the default?
> My estimation is: It is not, and then we should switch the default to RSA3072
> until it is.

2.3 will use ed25519/cv25519 as default algorithms for new keys. All
other major implementations support ed25519 and thus we are ready to
switch this summer.


Shalom-Salam,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

Am Freitag 03 Mai 2019 16:10:48 schrieb Werner Koch:
> On Thu, 25 Apr 2019 08:42, bernhard@intevation.de said:
> > Is ECC ready to be the default?
> > My estimation is: It is not, and then we should switch the default to
> > RSA3072 until it is.
>
> 2.3 will use ed25519/cv25519 as default algorithms for new keys.  All
> other major implementations support ed25519 and thus we are ready to
> switch this summer.

What will the status of a 2.3.0 release be?
(Is it a "development" line or ready for packaging?)

Would it make sense to announce the step so people could flag potential
implementations that may be interesting from an interoperability side?

Best Regards,
Bernhard

--
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner